Compliance and IT – IT GRC FAQ

Wow, now that is a lot of acronyms in one heading. Let me explain. We often get asked the same frequently asked questions (FAQs) about compliance and IT or the legal aspects of information technology (IT) governance, risk and compliance (GRC). So here are the questions followed by the answer.

Besides exposing the organisation to risk, what worst-case penalties face those that aren’t compliant or practice good governance?

There are actually many criminal offences in our ICT laws – probably too many. The penalty for non-compliance is usually a fine or imprisonment, which means one or both. The fine is usually disproportionately small compared to the time of the prison sentence. For example, R5,000 or 5 years in jail. Anyone would choose to pay the money. The worst case senario of a fine or imprisonment of 10 years. This is both in RICA and POPI. 10 years in jail is pretty serious but there are few (if any) cases where it has actually happened. But it is also about creating business value – practising good IT GRC should result in business benefits or value. That is what organisations should focus on, not the penalties.

Who faces prosecution or penalties if an organisation contravenes IT laws?

Do the authorities now have real power to enforce these laws?

Yes, they do. For example, in POPI the Information Regulator has extensive powers. But if the authority is the SAPS, in reality, they have more serious crimes to deal with – like murder, rape etc…

Does enforcement really happen in practice?

Not really. Someone has been convicted of a cybercrime under the ECT Act. But otherwise, there are few examples. Parliament has realised this and has included many other remedies in POPI. Things like administrative fines, and enabling data subjects to take civil action for damages.

Do enterprises have difficulty understanding compliance and IT?

Yes, they do. ICT laws deal with intangible concepts like a data message and electronic communication. It is often very hard to determine the practical implication of an ICT law on a set of facts. The legal aspects are also always changing – for example, the ECT Act is currently being reviewed and updated. Many people also struggle with the relationship (the overlap) between governance, risk and compliance.

Where do they commonly go wrong?

They focus on one law or topic and forget about the rest. Many organisations are focussing on data protection at the moment. Data protection is important, but so is access to information or interception. You cannot focus on one and ignore the rest. Many organisations also focus on IT Governance, and ignore IT Compliance or IT Risk. Compliance and IT is arguably more important than governance.

Organisations should be looking at governance, risk and compliance.

What do they need to do to rectify the situation?

They need to start with awareness. Each organisation should know what IT laws there are in South Africa. And then also know which ones (or which aspects) of those laws are applicable to their organisation. Ignorance of the law is no excuse. Having (and working within the structure of) a framework is then the next step. Organisations also need to know what the risks (for example fines or imprisonment) are associated with non-compliance and then make a call as to whether to comply or not.

Who should drive this?

Ideally an executive – a board member. The relevant director under whom the responsibility for IT falls (like the Financial Director) should attend our one day workshop. And then the compliance officer, legal advisor, or information officer. It is not just a technical issue, so it should not just be the CIO, IT director, or IT manager driving it alone.